Penn State University Cuts Internet After Chinese Cyberattack

Penn State University said Friday that it disconnected the network of its college of engineering from the Internet in response to two cyberattacks, with at least one believed to be conducted by threat actors based in China.

According to an announcement by the University on Friday, the institution was alerted by the FBI on Nov. 21, 2014 of a cyberattack of “unknown origin and scope on the College of Engineering network by an outside entity.”

Penn State hired FireEye-owned Mandiant to investigate the incident, which has confirmed that at least one of two attacks was carried out by a threat actor based in China, using advanced malware to attack systems in the college.

“In order to protect the college’s network infrastructure as well as critical research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation,” said Nicholas P. Jones, executive vice president and provost at Penn State. “Any abnormal action by individual users could have induced additional unwelcome activity, potentially making the situation even worse.”

According to Penn State, Mandant’s investigation discovered the presence of two previously undetected attackers within the college’s network. The investigation also revealed that the earliest known date of intrusion is September 2012.

The University did not expain how the attack was attributed to China.

“This was an advanced attack against our College of Engineering by very sophisticated threat actors,” said Penn State President Eric Barron in a letter to the Penn State community. “This is an incredibly serious situation, and we are devoting all necessary resources to help the college recover as quickly as possible; minimize the disruption and inconvenience to engineering faculty, staff and students; and to harden Penn State’s networks against this constantly evolving threat.”

The outage is expected to last for several days.

The University said there is no evidence to suggest that research data or personally identifiable information (such as Social Security or credit card numbers) have been stolen, however, investigators do have direct evidence that a number of College of Engineering-issued usernames and passwords have been compromised, and a small number have been used by the attackers to access the network.

All College of Engineering faculty and staff at University Park will be required to choose new passwords for their Penn State access accounts. Additionally, engineering faculty and staff looking to access college resources remotely via a VPN connection will be required to use two-factor authentication, the University said.

“In several days, our College of Engineering will emerge from this unprecedented attack with a stouter security posture, and engineering faculty, staff and students will need to learn to work under new and stricter computer security protocols," Barron added. "In the coming months, significant changes in IT security policy will be rolled out across the University, and all of us as Penn Staters will need to change the way we operate in the face of these new and significant challenges. This new threat must be faced head-on, not just by Penn State but by every large university, business and government the world over. This is a new era in the digital age, one that will require even greater vigilance from everyone.”

“This should be a wake up call to other colleges and universities, it is rare for only one institution to be targeted by an active cyber espionage campaign," Ken Westin, senior security analyst for Tripwire, told SecurityWeek.

"Given that the group was targeting engineering departments it’s pretty clear that the attacker were looking intellectual property. Many times there is deep collaboration between higher education and private industry to commercialize research, and this combined with the fact that higher education generally lacks the resources to develop a strong security posture makes them a high value target for sophisticated attackers."

"I hate to be the bearer of bad news, but I think there are quite a few more breaches like this. Some of them have been detected, but many haven’t,” Westin said.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.